Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex from variable

bobweinerjr
Explorer
‎07-02-2019 03:20 AM

I would like to store a regex pattern in a variable and use it to extract data. I've seen lots of similar questions but haven't been able to figure this out.

I can do the following

| makeresults count=1 | eval val=4 | rex field=val "(?<dig>\d)"

but I cannot 

| makeresults count=1 | eval val=4 | eval ptn="(?<dig>\d)" | rex field=val ptn

Ultimately, I would have regex patterns stored in a CSV file and use lookup to get the correct pattern for a given query. It seems the above would a minimal implementation of this strategy.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2019 12:38 PM

Also note that both match() and replace() will pull RegEx from inside of a field name.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2019 07:09 AM

This is probably more what you are looking for:

https://answers.splunk.com/answers/386488/regex-in-lookuptable.html

0 Karma
Reply

bobweinerjr
Explorer
‎07-04-2019 01:07 PM

That's great. Going to try that out.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-05-2019 06:46 AM

Be sure to UpVote over there and come back here to Accept an answer if it works out.

0 Karma
Reply

oscar84x
Contributor
‎07-02-2019 06:24 AM

You could use a transforms.conf stanza with the extract command to accomplish this.
Transforms would be your storage for your regex pattern and then you'd invoke it with extract during your search, or you can apply it automatically in props.conf

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Extract

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-02-2019 05:18 AM

You can use map

| makeresults count=1 
| eval val=4 
| eval ptn="(?<dig>\d)" 
| map [ search | rex field=val $ptn$]
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎07-02-2019 06:46 AM

It would actually be:

| makeresults count=1 
| eval val=4 
| eval ptn="(?<dig>\d)"
| map search="| rex field=val $ptn$"

Except that the search results don't go into the map command for val in that way, and you can't send the val value into the search like this:

| makeresults count=1 
| eval val=4 
| eval ptn="(?<dig>\d)"
| map search="| rex field=$val$ $ptn$"

because the val value isn't a field name. So you are stuck between a rock and a hard place. The rex command requires a quoted string for the regex that it will use, not a field. I don't know of a way that you can do what you are wanting to do.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-02-2019 10:01 AM

I always mess up the syntax of map... apologies

0 Karma
Reply

bobweinerjr
Explorer
‎07-02-2019 11:13 AM

quite alright. I appreciate the input and will learn from it anyway.
unfortunately, we had a power outage on campus this morning and Splunk is not the first thing restored so it won't be today 😞

Reply

jkat54
SplunkTrust
SplunkTrust
‎07-02-2019 01:05 PM

Here's what I meant to post:

 | makeresults count=1 
 | eval val=4 
 | eval ptn="(?<dig>\d)" 
 | map search="search index=yourindex | rex field=val $ptn$"

OR:

 | inputlookup yourlookup.csv 
 | map search="search index=yourindex | rex field=val $regexFieldInLookup$"
0 Karma
Reply

bobweinerjr
Explorer
‎07-02-2019 05:41 AM

Didn't know about map. That seems useful.

This search did not work for me, though.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top